You are the network administrator for your organization.
Your company uses a Windows Server 2008 R2 Enterprise Root CA.
The company has issued a new policythat prevents port 443 and port 80from being opened on domain
controllersand on issuing CAs.
Your users need to request certificates from a web interface.
You have already installed the AD CS role.
What do you need to do next?

A.
Configure the Certificate Authority Web Enrollment Service on a member server.

B.
Configure the Certificate Authority Web Enrollment Service on a domain server.

C.
Configure AD FS on member server to allow secure web-based access.

D.
Configure AD FS on domain controller to allow secure web-based access.

Explanation:
http://technet.microsoft.com/en-us/library/dd759209.aspx
Certificate Enrollment Web Service Overview
The Certificate Enrollment Web Service is an ActiveDirectory Certificate Services (AD CS) role service that
enables users and computers to perform certificate enrollment by using the HTTPS protocol. Together with the
Certificate Enrollment Policy Web Service, this enables policy-based certificate enrollment when the client
computer is not a member of a domain or when a domain member is not connected to the domain.
Personal note:
since domain controllers are off-limits (regarding open ports), you are left to install the Certificate Enrollment
Web Service role service on a plain member server